Showing posts with the label System Basics. Show all posts

Make a dual-boot WinPE CD

I’ve been in the workshop for the past several days hammering out a new WinPE product for our technical field-support team.
You may recall from the GSD post WinPE Building and PGP Support Links Updated that I have previously built a highly-customized PGP WDE injected WinPE boot CD to allow our team to manually off-line boot, then authenticate into a PGP v9.x encrypted hard-drive.
Now we are rolling out systems encrypting with PGP Desktop 10.x.  Unfortunately the v10 isn’t backwards-compatible in supporting the v9 encrypted systems.
So I cleared off the workbench and using the techniques I have previously outlined here, built a new customized WinPE boot disk that supports PGP-WDE 10.x.
Only there was one problem; we currently now have a mixed PGP-WDE environment where some systems are running PGP Desktop v9.x and others are running v10.x.
I started to plan just having the techs carry both WinPE boot disks with them.  But that seemed silly.  The WIM files were both very small.  Too bad I couldn’t include both BOOT.WIM files on the same CD as the rest of the CD structure was identical.
Or could I…..?
I remembered a suggestion Brett had made earlier: with some BCD file editing on a customized WinPE-booting USB stick, I could multi-boot different WinPE BOOT.WIM files. We outlined that process in this GSD WinPE Multi-boot a Bootable USB Storage device post. I can tell you it works like a charm.
But surely that doesn’t work for WinPE CDs. That’s crazy talk. Right?
Nope. Works fine.
David over at the “ITC Guy’s Doodles” blog has it all laid out, simple as can be (with screen-shots):
David and I are assuming here you already have the WAIK installed and are long-past the steps regarding building a customized WinPE build or two. If not, check out these GSD posts first for some background if needed:
Once you’ve done that and have your primary WinPE folder structure set as well as your custom BOOT.WIM files ready you basically do this:
  1. Launch your WAIK Deployment Tools Command Prompt (in Windows 7 I chose to run it elevated as Administrator).
  2. Change directories to your WinPE building folder (in my case it was C:\winpe_x86; yours may differ, so adjust the recipe accordingly for your WinPE baking altitude).
  3. Copy into the c:\winpe_x86\ISO\sources folder the BOOT.WIM files you want to include. Note that they will need different names. Your first/default booting wim can remain “boot.wim” to keep things easy, but the 2nd (and each additional one if so desired) should be named something more descriptive.
  4. Next you will need to edit the BCD file for the booting build, which is located in C:\winpe_x86\ISO\boot.
  5. Follow David’s steps to copy the default boot entry item to a new second entry with a different boot GUID. Then you need to “fix” some of the copied sub-items so they reference the new GUID value.
  6. Finally, you can rename the default boot item description to something more meaningful.
Use oscdimg to build the ISO file and when you boot it, you should now see your different boot image options appear on the boot selection menu!
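The BCD editing in steps 4 through 6 is a fixed sequence of bcdedit calls against the offline store, so it lends itself to a script. The following is an added example, not David’s walkthrough or anything from the original post: it assumes the standard WAIK-generated WinPE BCD (a default osloader entry whose device/osdevice point at a ramdisk image via the {ramdiskoptions} object) and assumes that the “sub-items” to fix on the copied entry are exactly device and osdevice, which must name the second WIM. The store path, WIM file name and menu descriptions are placeholders; the runner hook lets you dry-run the sequence off the build box.

```python
import re
import subprocess

# Matches the GUID bcdedit prints in "The entry was successfully copied to {...}."
GUID_RE = re.compile(r"\{[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}")


def copy_entry_command(store, description, source="{default}"):
    """Step 5, first half: clone the default entry under a new GUID (bcdedit /copy)."""
    return ["bcdedit", "/store", store, "/copy", source, "/d", description]


def parse_copied_guid(output):
    """Pull the new entry's GUID out of bcdedit's success message."""
    match = GUID_RE.search(output)
    if not match:
        raise RuntimeError("bcdedit did not report a new GUID: " + output.strip())
    return match.group(0)


def fixup_commands(store, guid, wim_name):
    """Step 5, second half: point the clone's device/osdevice at the second WIM and list it in the menu."""
    ramdisk = "ramdisk=[boot]\\sources\\%s,{ramdiskoptions}" % wim_name
    return [
        ["bcdedit", "/store", store, "/set", guid, "device", ramdisk],
        ["bcdedit", "/store", store, "/set", guid, "osdevice", ramdisk],
        ["bcdedit", "/store", store, "/displayorder", guid, "/addlast"],
    ]


def rename_entry_command(store, guid, description):
    """Step 6: give the original (default) entry a meaningful menu description."""
    return ["bcdedit", "/store", store, "/set", guid, "description", description]


def add_wim_entry(store, wim_name, description, default_description=None, runner=None):
    """Run the whole sequence; pass a fake 'runner' to dry-run it away from the build machine."""
    def run_real(argv):
        return subprocess.run(argv, check=True, capture_output=True, text=True).stdout
    run = runner or run_real
    guid = parse_copied_guid(run(copy_entry_command(store, description)))
    for argv in fixup_commands(store, guid, wim_name):
        run(argv)
    if default_description:
        run(rename_entry_command(store, "{default}", default_description))
    return guid


if __name__ == "__main__":
    # Run from an elevated prompt on the build machine; store path and names are placeholders.
    store = r"C:\winpe_x86\ISO\boot\BCD"
    new_id = add_wim_entry(store, "boot_pgp10.wim", "WinPE - PGP WDE 10.x", "WinPE - PGP WDE 9.x")
    print("added boot entry", new_id)
```

After it runs, `bcdedit /store C:\winpe_x86\ISO\boot\BCD /enum all` should show two osloader entries that differ only in description and in the WIM named by device/osdevice; if the default entry in your store is not the WinPE loader, pass its explicit GUID as `source` instead of relying on `{default}`.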
Sweet!
I’m not aware of any limitations to the number of different bootable wim files you can have. I suppose that’s mostly limited to the size of your CD/DVD media (if not USB-booting) as well as the size of the custom WIM files themselves.
So for me, I now have one physical bootable CD with two distinct WinPE boot choices…one for PGP v9 and one for PGP v10 support.  Locked and loaded now baby!
In theory, if you weren’t really comfortable with all this CLI work, you could use one of two GUI based tools to edit the \winpe_x86\ISO\boot\BCD file.
EasyBCD 2.1.2 - NeoSmart Technologies supports WinPE BCD files. There is also a EasyBCD 2.2 Beta Build that may have additional support. Check out the forum as well as this Multiboot WinPE CD - How to specify .WIM forum post for some tips.
In fact, somewhere between eating lunch, listening to a football game, and trying to pay attention to a holiday story Lavie was telling me while I was following David’s steps, my own “descriptions” work for the BCD file got mixed up a bit and I wasn’t getting the custom boot descriptions to appear as desired.
I was able to quickly and easily use the Visual BCD Editor - Windows 7/Vista to clean up the mess I made and get it all put right.  So if you knew what you were doing, you could do it all from the GUI with this tool rather than the CLI.
Anyway, thanks to Brett for his original tip and to David for the game-walkthrough for making a multi-boot WinPE CD.

Reposted from http://grandstreamdreams.blogspot.com/2012/01/make-dual-boot-winpe-cd.html

The Password is…

Last week we got a call from one of Lavie’s cousins. She and her husband had suddenly begun getting phone calls from concerned friends as well as strange “undeliverable” email notices.
Mysteriously, at least one email had been sent from their on-line email account to all the recipients in their contacts in batches of ten or so.  Some folks had told them their own security apps had alerted when they tried to follow the link in the email.
It was pretty apparent to the couple that “something” was amiss with their PC but exactly what, they weren’t sure. They had already downloaded a second anti-virus tool and scanned their system with nothing found. They decided to call me to see if I could help them. I recommended they change the password and any security challenge questions immediately which they did, then arranged for a house-call the following day.
I already had a clue on what probably occurred, but went through my full checklist of items as I assessed the system. No rogue processes, no unexpected auto-start items. Additional security scans came through with flying colors.
Then I turned my attention to their email account.  This particular email provider (unfortunately) doesn’t provide any IP-based user sign-in event logging like some other main-stream web-mail providers do. That would have provided golden information.
What we did have is one overlooked original email in the “Sent” folder showing a mail time of 8:15 PM Wed night.  Neither of the couple reported being logged in on the system (or the email) at that time so it seemed fairly certain that is when the event occurred.
I mailed that to myself to look into the URL more later.
They use IE 9 and the system was fully patched. Flash and Java were outdated, but not too bad.
Based on my survey and additional questioning, it appears to me that someone had “hacked” their account using some kind of brute-force attack and then quickly composed at least one email containing a single URL to everyone in their address book. I couldn’t find any evidence of a persistent threat on their system, and based on their feedback, I doubted a cross-site-scripting vulnerability had been involved.
For the really curious, here is a link to the urlQuery (free online URL scanner) findings from that particular URL I found: urlQuery scan result. Turns out that particular link leads to a compromised (?) website serving up fake AV scanner malware via some JavaScript code.  That is why some recipients of the email were likely getting alerts when they visited the site. Sneaky.
Turns out hacking email accounts and appropriating them (even “non-maliciously”) for spamming is big business and a common event for many web-citizens.
This couple -- it turns out -- had been using a very weak password, so it probably fell pretty fast.
Turns out weak passwords remain a common plague.
ISC Diary | Analysis of the Stratfor Password List is another clear warning of this danger.
Steve Ragan posted a simply amazing Report: Analysis of the Stratfor Password List which has crazy fascinating data on passwords and just how weak most of them were, along with his own password cracking work to show just how easy these fall.  See also: Researchers find many weak Stratfor passwords -Naked Security.
And just over the weekend there was this: Zappos customer info is breached. Change your password now! [Updated] - TechBlog via Chron.com
What is one to do? This maybe?
z0sfabbn.qeg
If you want a quick way to assess the complexity/strength of the passwords you may have stored in your web-browser or some Windows applications, check out the Password Security Scanner freeware tool by NirSoft.
Some highly recommended online locations to check your current password strength against are:
Coming up with a truly secure and complex password can be a major task for some folks. And the web has no dearth of fantastic advice on the subject of what defines a strong password and how to create one.
From SophosLabs via YouTube
And just today, Lifehacker released a super-cool mega-graphic on password selection
Troy Hunt did a series of great, in-depth posts on password selection and science that are must-reads. I’m liking Troy’s writing and analysis and his blog has been added to my RSS must-read feed list.
Those last two points are my takeaways: nothing is more frustrating than internal application or external website password policies that are weak by design and force me to use a short password, and the best password is one so damn complex there is no way I can remember it, even under duress.
I prefer to use the longest password the site/application will accept based on character count. (By the way…seriously guys, place your password policy and field limits up front to make this easy to figure out!)
How do I come up with one? I use two tools: a portable password manager application that stores the passwords in an encrypted container, and a utility to generate randomized gobbledygook passwords. In fact, many tools of the first kind include the second as a built-in feature.
I linked to some of the GRC random password generators earlier but these other free portable password generation tools are great:
  • Password Guru - CEZEO Software generates complex and secure passwords with rule filters for length and special characters.
  • Password Generator - Gaijin Software - can generate up to 1000 passwords at once with advanced rule filters. Also includes a password checker to test password strength.
  • Password GeneratorXP - I’ve been using an earlier version of this app for a very long time. Latest version is 1.5 updated in December 2011.  Can generate random passwords up to 99 characters long! Rules allow character inclusion/exclusion and supports special symbols. Super app.
  • PWGen - Open-Source Password Generator for Windows using AES and SHA-2 cryptography methods. Can support passwords up to a crazy 20,000 characters long, can be fed a word-list file if you prefer, can exclude “ambiguous” characters (like o and 0, l and 1, etc.). It can create up to 1,000,000 passwords at a time based on your rule patterns, or a single password instantly. The included manual file is great reading regarding password security in general and not just the program operation itself.
  • PassworG - Free password generator software - pretty simple to use but strong password generator that might be easier for some folks to use.
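The generators above all do the same few things: draw characters from a chosen set, optionally exclude look-alike characters, optionally work from a word list, and report how strong the result is. As an added example that is not from any of those tools or from the original post, here is that core in Python, using the operating system CSPRNG (`secrets`), with a length-times-log2(alphabet) entropy estimate and a worst-case strength estimate for an existing password such as the “z0sfabbn.qeg” sample above. The ambiguous-character list and the tiny word list are constructed placeholders.

```python
import math
import secrets
import string

# Character classes that a PWGen / Password GeneratorXP-style tool lets you toggle.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": string.punctuation,
}
# Look-alikes the post mentions excluding (o and 0, l and 1, ...); constructed list.
AMBIGUOUS = set("O0oIl1|")
# Constructed stand-in for the word-list file such tools can read; use a large real list.
SAMPLE_WORDS = ["anchor", "bishop", "copper", "dragon", "ember", "falcon", "granite", "harbor"]


def build_alphabet(classes=tuple(CLASSES), exclude_ambiguous=True):
    """Join the requested classes, dropping look-alike characters on request."""
    chars = "".join(CLASSES[name] for name in classes)
    if exclude_ambiguous:
        chars = "".join(ch for ch in chars if ch not in AMBIGUOUS)
    return chars


def generate_password(length, classes=tuple(CLASSES), exclude_ambiguous=True):
    """Draw every character from the OS CSPRNG; reject draws that miss a required class."""
    if length < len(classes):
        raise ValueError("length must be at least the number of required classes")
    alphabet = build_alphabet(classes, exclude_ambiguous)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in CLASSES[name] for ch in candidate) for name in classes):
            return candidate


def generate_passphrase(count, words=SAMPLE_WORDS, sep="-"):
    """Word-list mode: each word contributes log2(len(words)) bits, so list size is everything."""
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random string of 'length' symbols from 'alphabet_size' choices."""
    return length * math.log2(alphabet_size)


def estimate_strength(password):
    """Worst-case view of an existing password: the attacker knows which classes appear.

    This is an upper bound; a human-chosen password that a cracker's dictionary
    covers is weaker than the number suggests.
    """
    used = [name for name, chars in CLASSES.items() if any(ch in chars for ch in password)]
    size = sum(len(CLASSES[name]) for name in used)
    bits = entropy_bits(len(password), size) if size else 0.0
    return {"length": len(password), "classes": used, "alphabet": size, "bits": round(bits, 1)}


if __name__ == "__main__":
    pw = generate_password(24)
    print(pw, estimate_strength(pw))
    print(generate_passphrase(6), round(entropy_bits(6, len(SAMPLE_WORDS)), 1), "bits")
    print(estimate_strength("z0sfabbn.qeg"))
```

The rejection loop keeps the output uniform over all passwords that satisfy the class rule, which is the right way to enforce “at least one digit” without biasing particular positions; excluding ambiguous characters shrinks the alphabet slightly, so the entropy figure drops from 94 symbols to 87 and the tool should report the real number, not the nominal one.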
So how do you manage these complex passwords?
Pick at least one tool from each category and learn to use them, then use them always.
And for those of you who say “Claus, put all my wicked crazy passwords (from PWGen) in an encrypted database password manager (KeePass) and stick them on my USB drive for fast access? What if I lose it?”
I suppose you could create a TrueCrypt encrypted file, then put the encrypted KeePass database inside it…
Just be sure you select a different crazy complex random password for each of them.
And put them in another password manager for safekeeping in case you forget.

Reposted from http://grandstreamdreams.blogspot.com/2012/01/password-is.html

It’s a USB Thing

I was working on a USB project recently and needed to capture an image of a USB device for restoration.
That got me reviewing my pile of USB tools and looking for updates. Found some and a bunch of new-to-me freeware USB tools.
Here you go.
USB Image Tool - alex’s coding playground - updated to v 1.58 with some nice fixes.
ImageUSB - Write an image to multiple USB Flash Drives - PassMark Software - great standalone tool to make/push images of USB flash drive devices. Hard to go wrong with this one!
USB Disk Ejector - Quick And Easy Software - This is a “cutesy” app but seems much easier to me to use than hunting in the system tray for the Windows USB device ejection method. Definitely makes it easier to identify the correct device when more than one is connected and I’m rushing.
Dev Eject - Stop right now and add this one to your utility pile. Seriously. A co-worker has been having problems ejecting USB HDD devices from his XP system and turned to me to figure things out. He didn’t think he had any open calls to the device running and OpenedFilesView didn’t report any clues either. I turned to Dev Eject and immediately found the culprit: Symantec AV seemed to be doing a file-scan (slowly) when he was ejecting the device. More info in this AddictiveTips post: Identify Processes Hindering Removable Media Ejection With Dev Eject.
Use command line to safely remove USB drives by Mike Williams at BetaNews has a lot of clever tips.
Want lots of freeware USB tools? Serious, low level USB tools? CLI USB tools (and then some)?
Uwe Sieber’s got you covered! Drive Tools for Windows
  • RemoveDrive V2.2 - Safe removal of drives
  • RestartSrDev - restarts "Safely Removed" devices which have the "Code 21" problem code
  • EjectMedia V2.2 - ejects a media from a drive
  • ReMount - reassigning mountpoints (change drive letters)
  • ListDosDevices
  • USB-WriteCache V0.1
  • USB Drive Letter Manager - USBDLM (Note: USBDLM is Freeware for private and educational (schools, colleges, universities) use only.)
HotSwap! - Kazuyuki Nakayama - gives more friendly interface than the “Safely Remove Hardware” icon in the system tray does.
USBLogView - NirSoft tool to record all USB devices plugged into a system and logs to a file.
USBDeview v2.00 - NirSoft tool to list all USB devices plugged into a system as well as all USB devices previously used (with details).
RMPrepUSB - Tool to partition and format USB drive and make it bootable. Free for private use only. If you know what you are doing, this tool isn’t needed, but it goes a long way to helping newbies and the author has a large number of tutorials as well. More here: RMPrepUSB – Amazing USB Formatting Tool! - post from AgniPulse, RMPrepUSB : Install Windows on USB, Speed up USB and do more with it via The Windows Club and RMPrepUSB: Create Bootable Windows/Linux USB, Test R/W Speed & More post via AddictiveTips.
How To Create Customizable Multiboot System Rescue Disk - AddictiveTips post on using SARDU builder to make a multiboot USB tool.


Reposted from http://grandstreamdreams.blogspot.com/2012/01/its-usb-thing.html

Digital Image\Video Resources

Little bro recently made a Christmas contribution to the “Claus-needs-a-new-hobby” campaign.
While a portion of it does involve me staying up much later each night now (like I needed that bad-habit) reading George R. R. Martin's “Game of Thrones” series on my Kindle, the most recent focus is the coming addition of a Canon PowerShot S95 to my photography tools.
For the longest time I have been seriously looking at the newer digital rangefinder class of cameras and the Olympus PEN E-P1 (Amazon link) fell into my price-point. I’ve yearned for this one for some time, however this particular model has been updated several times (more $$) and the Canon PowerShot S95 (Amazon link) was in the same range (price-wise). Though it also has a newer version, this one just seemed to have many more features (do I really need 1080p video when the S95’s 720p only video may never get used either?).
In the end it was the collection of Flickr: Canon PowerShot S95 group photos that sold me on it along with the smaller (pocket/backpack) format over the E-P1. It came down to me being honest with myself. I can’t take good pictures and improve my technique if I don’t carry the camera with me almost all times to take pictures to begin with…and the S95 is much more pocketable (and less imposing when in use) than the E-P1 or my Canon Rebel XT DSLR. So, photography links on the sidebar have been amended to remove the PEN and add the S95.
Hope to share some pics from it soon.
So, that leads us into these great digital imaging tools I’ve found recently (or have been updated).
Microsoft Research Image Composite Editor (ICE) - This remains my favorite image-stitching tool. Can also handle video stitching techniques: Microsoft ICE update–video to panorama, lens vignette, improved blending - HD View
Hugin - Panorama photo stitcher - This is a new-to-me project. It looks a lot more sophisticated than ICE so I’m looking forward to trying it out as well. It has a lot of control.
Scarab Darkroom - Beta version is free. From the page “Scarab Darkroom is a digital camera raw file converter/photo editor that supports most raw format capable cameras from Canon, Nikon, Olympus, Panasonic, Pentax, Samsung, and Sony. It is fast, easy to use, and produces excellent results. Development is still at the beta version stage.”  My S95 has Raw+JPEG shooting format…. More here at AddictiveTips: Edit And Convert RAW Images To JPG With Scarab Darkroom
It’s been a while since I last posted a roundup of freeware video editing tools: grand stream dreams: Video-Editing Resource Roundup
Here are some new links: Top 3 free video editing software for Windows 7 via The Windows Club links to Avidemux, VirtualDub, and VideoSpin.
What amazes me is that the pro-class Lightworks Open Source Project (free!) for video editing never seems to come up. It is incredible. Is it too complicated? I’m looking forward to shooting some 720p video to experiment with the application.

Reposted from http://grandstreamdreams.blogspot.com/2012/01/digital-imagevideo-resources.html

Utility Updates

Quick linkfest running down some old tools updated and new tools discovered.
Autoruns v11.21: This update to Autoruns fixes a number of minor bugs, including one that could result in a crash when certain scheduled tasks are configured. Microsoft Sysinternals.
Process Explorer v15.12: This update to Process Explorer makes the search dialog asynchronous and reports the types of found items. It also fixes several bugs, including showing a small font when run after an older version, a bug in the restart-process functionality, working set columns not showing data, and again shows information about service processes when run from an unprivileged user account. Microsoft Sysinternals.
Strings v2.42: This Strings release fixes a bug that would result in a crash when the –n or -b options are specified without a file name. Microsoft Sysinternals.

Mark’s Blog: Case of the Installer Service Error: Follow along with Mark in another of his popular ‘Case of the Unexplained’ troubleshooting examples where he retraces the steps of a network administrator that used Process Monitor to figure out why the Windows Intune installer failed on one of his systems and goes on to fix the problem. 

Mark’s Blog: The Case of My Mom’s Broken Microsoft Security Essentials Installation: Mark goes deep with the Sysinternals tools to fix a corrupt installation of MSE on his mom’s PC over the holidays.

CSVed 2.2.1 - Now at 2.2.1 version.  See also NirSoft’s CSVFileView
CCleaner v3.14 - Piriform - System cleaner
Recuva v1.42 - Piriform - File recovery tool
Speccy v1.14 - Piriform - System information collector
CCEnhancer - v 2.5 - SingularLabs - plugin for CCleaner adding support for over 500 additional apps.
JavaRa - v 1.16 - SingularLabs - not updated but great tool to remove old/redundant versions of JRE.  Now under development is JavaRa 2.0 alpha build which includes updating, removal and some additional bells-n-whistles.
Wecode.biz: Alternative Flash Player Auto-Updater - interesting tool to help update Adobe Flash Player. The latest builds of Flash Player do have an auto-updating feature baked in, but it doesn’t (to me) seem to fire off and find newer builds as quickly as I would like to see. This is an alternative that might work well on friends’ and family PCs.
ISC Diary | Newest Adobe Flash 11.1.102.55 and Previous 0 Day Exploit -Why keeping Flash updated is important…as if we didn’t need a reminder.
Crystal Dew World - lots of updates here including CrystalDiskInfo and CrystalDiskMark
PST Viewer - Free tool to open and view content of PST files without Ms Outlook - Kernel Data Recovery. See also this review: Gave up Microsoft Outlook but need your PST file? There's an app for that - BetaNews. I like this tool in that when I recently had to carve the PST files off a nuked HDD to recover an end-user’s PST files, I got a ton of them. Rather than mounting each one to a working Outlook client profile, I just fired up this tool to inspect them with the user to find out which ones we wanted to attach and which ones were duplicates. Saved a boat-load of time. Could be good for incident responders as well.
Highlighter v1.1.3 Released - Mandiant M-unition blog notice. Download link
Download Batch Compiler - SourceForge - You need to install on a system (not portable) but still could be a great resource for building more complex batch files. See more info here at AddictiveTips: Batch Compiler: Create Batch Scripts & Convert Them To EXE Format
Splashtop Remote Desktop - interesting new tool for remote connection management. See this Splashtop Is A Better Alternative To Windows RDP at Windows7hacker blog.
Windows Live Writer Backup - Codeplex project page - See this Windows Live Writer Backup post at Windows7hacker blog.

Reposted from 

File and Folder Linkfest

As we continue the dig-out over here at the Valca link farm we now must turn attention to file and folder management tools.

Track Folder Changes - CodePlex project page - really clever tool still in development that shows (real-time) as files/folders are being changes for a specific folder/directory to be monitored. Nice GUI. More information at Track Folder Changes in Real Time Windows7hacker post and Track changes to folders with Track Folder Changes post at freewaregenius.

SearchMyFiles - NirSoft - Soo love this tool! It’s one of my must-haves for file-finding.
Everything Search Engine - Love this one too. Wicked fast but does it by building its own index database. Doesn’t search within files; just file/folder names.

UltraSearch - Freeware for Ultra-Fast File Search - JamSoftware - A bit like Everything, but doesn’t build an index database and instead relies on the MFT. Comes with a portable version.
Locate32 Web Site - Another nice free Windows file indexing application.

eXpress FreshFiles Finder - Super-great tool to quickly find the “freshest” files on a system.
FileProcessor - really powerful tool to find files as well as perform a number of actions on those found files. More info via AddictiveTips: FileProcessor: Set Filters, Search & Perform Batch Actions On Files
SpaceSniffer - Love it to visualize space usage on drives.
GetFolderSize - Interesting tool for scanning file/folder size usage on drives. Different GUI but pretty cool! Spotted via GetFoldersize to Determine the Size of Folders on Your Hard Drive - Windows7hacker.
FolderSize - Jan Horn’s tiny but quick app for folder size reporting.
NoVirusThanks Freeware tools - interesting tools (free and commercial) for Windows system monitoring. Good overview on them here: NoVirusThanks releases four handy system monitoring tools as freeware -Softwarecrew.
TestDisk - CGSecurity - Now at Version 6.13 for file/disk recovery.
ODIN - Open Disk Imager for Windows - interesting GUI/CLI based tool for drive backup and imaging. More info via AddictiveTips: Backup, Restore And Verify Disk Images With ODIN.
Hardwipe | File & Drive Wiper - GSD has had a number of posts already regarding file/drive wiping, but this new-to-me tool is worth mentioning here. More info via AddictiveTips: Easily Wipe & Clean Files, Folders And Hard Drives With Hardwipe.
Forensic Riddle #5 – Answer - Hexacorn Blog has been posting a series of great puzzlers this one leads us to this clever Microsoft resource: Naming Files, Paths, and Namespaces.
TakeOwnershipEx - WinAero - GUI tool that allows you to get full access to files and folders. More info via AddictiveTips: Take Ownership Of Files And Folders In Windows 8.
Kickass Undelete - Browse /Kickass Undelete 1.2 beta - SourceForge.net - I really like this tool for file recovery. It’s not an all-in-one recovery tool, but is another great utility to keep on your response toolbelt.
WinAero: Librarian - powerful libraries manager for Windows 7. Slick interface and easy tool to use.
BExplorer (Better Explorer) - CodePlex - I want to like this project very much. I’m not feeling the love of the existing Windows 7 explorer menu-bar and this would go a long way to making it more powerful to use. However I’ve also had stability/installation issues on both Win7 x32/x64 systems so while it is on my “watch-list” it isn’t yet installed on my system.
FreeCommander - This alternative dual-pane Windows file manager remains top-of-the-heap on my systems. It is required usage here at GSD. I’ve still not found a better alternative, though many come close. The developer is hard at work on a new version and the betas look very slick and powerful; we’ll see when the final public release of that one comes out.
My Commander - The interface on this one looks remarkably similar to FreeCommander. It comes in both 32bit and 64 bit flavors. It is quite nice and would probably be a close runner-up.
NexusFile: File Manager for Windows - This is one with GUI attitude. Want a nice “dark” look? This is it.
Explorer++ - I like this one as a USB stick alternative. Constantly updated and in both x32/x64 flavors it is a single EXE file which makes it nicely portable.
A43 - this was my original love in alternative Windows file managers. It remains alive in development and has a lot of handy plugins in a format that others don’t seem to offer. Check it out.

EXIF/meta-data Linkage

Been sitting on these for a while (sigh).
Why do we care about meta-data (examining and/or purging)?
Well for starters “dere’s gold in dem dere hills!”
“Did you map all of the USB removable storage devices that had been connected to the system?  You don't need to have the management software installed to copy images and videos (hint, hint) off of a phone...just connect it via a USB cable and copy the images (which will likely have some very useful EXIF data available).”
In addition, there are a number of freeware (and $-$$$$) image viewers/tools that also include meta-data handling embedded in them. This post is focused on meta-data specific tools. I’ll post linkage on some of the other applications that are more in this later class soon.
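Examining and purging image meta-data comes down to one container walk: a JPEG is a sequence of marker segments, the Exif data lives in an APP1 segment that wraps a little TIFF file, and inside that TIFF the IFD0 directory carries camera make/model and the capture time while a GPSInfo pointer leads to a sub-IFD with the coordinates (the “gold in dem hills” for an examiner, and the thing to strip before a photo leaves your hands). The following is an added example, not code from the original post or from any of the tools it links: a dependency-free reader for those tags, a converter for the degree/minute/second rationals, and a purge routine that drops the APP1 segment while copying the compressed image data through untouched. The sample JPEG it builds is constructed in-line (camera name, timestamp and coordinates are invented placeholders) and contains no real scan data.

```python
import struct
from fractions import Fraction

TYPE_SIZE = {2: 1, 3: 2, 4: 4, 5: 8}                   # ASCII, SHORT, LONG, RATIONAL; others skipped
TAG_NAMES = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime", 0x8825: "GPSInfo",
             0x0001: "GPSLatitudeRef", 0x0002: "GPSLatitude",     # 0x000x names are for the GPS IFD
             0x0003: "GPSLongitudeRef", 0x0004: "GPSLongitude"}


def split_jpeg(jpeg):
    """Marker segments before SOS, plus the untouched tail (scan data and EOI)."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    segments, pos = [], 2
    while pos < len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("corrupt marker at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker in (0xDA, 0xD9):                      # SOS or EOI: no more metadata segments
            return segments, jpeg[pos:]
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        segments.append((marker, jpeg[pos + 4:pos + 2 + length]))
        pos += 2 + length
    return segments, b""


def is_exif(segment):
    return segment[0] == 0xE1 and segment[1].startswith(b"Exif\x00\x00")


def parse_ifd(tiff, offset, endian):
    """Decode one IFD to {tag name: value}; values of 4 bytes or less sit inline, larger at an offset."""
    count = struct.unpack_from(endian + "H", tiff, offset)[0]
    result = {}
    for i in range(count):
        tag, typ, n, raw = struct.unpack_from(endian + "HHI4s", tiff, offset + 2 + 12 * i)
        size = TYPE_SIZE.get(typ, 0) * n
        if size == 0:
            continue                                     # unknown type: skip rather than guess
        data = raw[:size] if size <= 4 else tiff[struct.unpack(endian + "I", raw)[0]:][:size]
        if typ == 2:
            value = data.rstrip(b"\x00").decode("ascii", "replace")
        elif typ == 5:
            words = struct.unpack(endian + "I" * (2 * n), data)
            value = [Fraction(words[j], words[j + 1] or 1) for j in range(0, 2 * n, 2)]
        else:
            value = list(struct.unpack(endian + ("H" if typ == 3 else "I") * n, data))
        result[TAG_NAMES.get(tag, "0x%04X" % tag)] = value
    return result


def read_exif(jpeg):
    """Examine: IFD0 camera tags plus the GPS sub-IFD when a GPSInfo pointer is present."""
    for segment in split_jpeg(jpeg)[0]:
        if is_exif(segment):
            tiff = segment[1][6:]
            endian = {b"II": "<", b"MM": ">"}[tiff[:2]]
            tags = parse_ifd(tiff, struct.unpack_from(endian + "I", tiff, 4)[0], endian)
            if "GPSInfo" in tags:
                tags["GPS"] = parse_ifd(tiff, tags["GPSInfo"][0], endian)
            return tags
    return {}


def gps_to_decimal(gps):
    """Degree/minute/second rationals to signed decimal degrees (S and W are negative)."""
    def dms(values, ref):
        degrees = values[0] + values[1] / 60 + values[2] / 3600
        return float(-degrees if ref in ("S", "W") else degrees)
    return dms(gps["GPSLatitude"], gps["GPSLatitudeRef"]), dms(gps["GPSLongitude"], gps["GPSLongitudeRef"])


def strip_exif(jpeg):
    """Purge: drop every APP1/Exif segment; the compressed image data is kept byte for byte."""
    segments, tail = split_jpeg(jpeg)
    out = b"\xff\xd8"
    for marker, payload in segments:
        if not is_exif((marker, payload)):
            out += bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload
    return out + tail


def pack_ifd(entries, ifd_offset):
    """Little-endian IFD builder, used only to construct the sample file below."""
    data_offset = ifd_offset + 2 + 12 * len(entries) + 4
    body, blob = b"", b""
    for tag, typ, values in sorted(entries, key=lambda e: e[0]):   # TIFF wants ascending tags
        if typ == 2:
            packed = values.encode("ascii") + b"\x00"
        elif typ == 5:
            packed = b"".join(struct.pack("<II", v.numerator, v.denominator) for v in values)
        else:
            packed = struct.pack("<%d%s" % (len(values), "H" if typ == 3 else "I"), *values)
        count = len(packed) if typ == 2 else len(values)
        if len(packed) <= 4:
            field = packed.ljust(4, b"\x00")
        else:
            field, blob = struct.pack("<I", data_offset + len(blob)), blob + packed
        body += struct.pack("<HHI", tag, typ, count) + field
    return struct.pack("<H", len(entries)) + body + struct.pack("<I", 0) + blob


def build_sample_jpeg():
    """Constructed JPEG: SOI, an Exif APP1 with camera and GPS tags, a fake SOS/scan, EOI."""
    gps = [(0x0001, 2, "N"), (0x0002, 5, [Fraction(29), Fraction(45), Fraction(36)]),
           (0x0003, 2, "W"), (0x0004, 5, [Fraction(95), Fraction(22), Fraction(12)])]
    ifd0 = lambda gps_off: [(0x010F, 2, "Canon"), (0x0110, 2, "Canon PowerShot S95"),
                            (0x0132, 2, "2012:01:15 20:15:00"), (0x8825, 4, [gps_off])]
    gps_off = 8 + len(pack_ifd(ifd0(0), 8))              # GPS IFD goes right after IFD0
    tiff = b"II*\x00" + struct.pack("<I", 8) + pack_ifd(ifd0(gps_off), 8) + pack_ifd(gps, gps_off)
    app1 = b"Exif\x00\x00" + tiff
    return (b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
            + b"\xff\xda\x00\x02\x12\x34\xff\xd9")
```

Two caveats worth keeping in mind when using this on real files: the reader only follows IFD0 and the GPS sub-IFD (the Exif sub-IFD at tag 0x8769 and the thumbnail IFD1 are left alone), and purging APP1 is not the whole story for a “clean” image, since XMP and IPTC blocks live in other APP segments and a viewer that rewrites the file may put its own tags back.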


Reposted from http://grandstreamdreams.blogspot.com/2012/01/exifmeta-data-linkage.html

Active Directory Linkfest

I’m working hard at getting up to speed on the whole Microsoft Active Directory thing.
Until lately, I’ve not had either the need or the opportunity to get heavily involved in supporting customers in a full-blown AD environment. Sure, there are some basic “foundational” things I’ve been able to pick up and use, but now we are moving forward into a brave new world and I gotta kick up my expertise a bit. I’ve already purchased and am working through this excellent Active Directory: Designing, Deploying, and Running Active Directory, Fourth Edition (Amazon.com link) book to get the ball rolling.
So expect a few more AD-related posts around here…at least on the front end they will be more resource linking related as I fill out my virtual bookshelf.
The 4sysops - For Windows Administrators website hosted by Michael Pietroforte is my go-to source for the best of tools and tips related to Windows system administration. It is full of great information and resources related to Active Directory items!
Expect more AD-related resource posts moving forward.
If you have any great and free AD-related tools, tips and resources please share in the comments!
Cheers!

Reposted from http://grandstreamdreams.blogspot.com/2012/01/active-directory-linkfest.html

Jump List Analysis

I've recently spoken with a couple of analysts I know, and during the course of these conversations, I was somewhat taken aback by how little seems to be known or available with respect to Jump Lists.  Jump Lists are artifacts that are new to Windows 7 (...not new as of Vista...), and are also available in Windows 8.  This apparent lack of attention to Jump Lists is most likely due to the fact that many analysts simply haven't encountered Windows 7 systems, or that Jump Lists haven't played a significant role in their examinations.  I would suggest, however, that any examination that includes analysis of user activity on a system will likely see some significant benefit from understanding and analyzing Jump Lists.

I thought what I'd try to do is consolidate some information on Jump Lists and analysis techniques in one location, rather than having it spread out all over.  I should also note that I have a section on Jump Lists in the upcoming book, Windows Forensic Analysis 3/e, but keep in mind that one of the things about writing books is that once you're done, you have more time to conduct research...which means that the information in the book may not be nearly as comprehensive as what has been developed since I wrote that section.

In order to develop a better understanding of these artifacts, I wrote some code to parse these files.  This code consists of two Perl modules, one for parsing the basic structure of the *.automaticDestinations-ms Jump List files, and the other to parse LNK streams.  These modules not only provide a great deal of flexibility with respect to what data is parsed and how it can be displayed (TLN format, CSV, table, dumped into a SQLite database, etc.), but also the depth to which the data parsing can be performed.


Jump List Analysis

Jump Lists are located within the user profile, and come in two flavors; automatic and custom Jump Lists.  The automatic Jump Lists (*.automaticDestinations-ms files located in %UserProfile%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations) are created automatically by the shell as the user engages with the system (launching applications, accessing files, etc.).  These files follow the MS-CFB compound file binary format, and each of the numbered streams within the file follows the MS-SHLLINK (i.e., LNK) binary format.

The custom Jump Lists (*.customDestinations-ms files located in %UserProfile%\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations) are created when a user "pins" an item (see this video for an example of how to pin an item).  The *.customDestinations-ms files are apparently just a series of LNK format streams appended to each other.

Each of the Jump List file names starts with a long string of characters that is the application ID, or "AppID", that identifies the specific application (and in some cases, version) used to access specific files or resources.  There is a list of AppIDs on the ForensicsWiki, as well as one on the ForensicArtifacts site.

From an analysis perspective, the existence of automatic Jump Lists is an indication of user activity on the system, and in particular interaction via the shell (Windows Explorer being the default shell).  This interaction can be via the keyboard/console, or via RDP.  Jump Lists have been found to persist after an application has been deleted, and can therefore provide an indication of the use of a particular application (and version of that application), well after the user has removed it from the system.  Jump Lists can also provide indications of access to specific files and resources (removable devices, network shares). 


Further, the binary structure of the automatic Jump Lists provides access to additional time stamp information.  For example, the structures for the compound binary file directory entries contain fields for creation and modification times for the storage object; while writing and testing code for parsing Jump Lists, I have only seen the creation dates populated.


Digging Deeper: LNK Analysis

Within the automatic Jump List files, all but one of the streams (i.e., the DestList stream) are comprised of LNK streams.  That's right...the various numbered streams are comprised of binary streams following the MS-SHLLINK binary format.  As such, you can either use something like MiTeC's SSV to view and extract the individual streams, and then use an LNK viewer to view the contents of each stream, or you can use Mark Woan's JumpLister to view and extract the contents of each stream (including the DestList stream).  The numbered streams do not have specific MAC times associated with them (beyond time stamps embedded in MS-CFB format structures), but they do contain MAC time stamps associated with the target file. 

Most any analyst who has done LNK file analysis is aware of the wealth of information contained in these files/streams.  My own testing has shown that various applications populate these streams with different contents.  One thing that's of interest...particularly since it was pointed out in Harry Parsonage's The Meaning of LIFE paper...is that some LNK streams (I say "some" because I haven't seen all possible variations of Jump Lists yet, only a few...) contain ExtraData (defined in the binary specification), including a TrackerDataBlock.  This structure contains a machineID (name of the system), as well as two "Droids", each of which consists of a VolumeID GUID and a version 1 UUID (ObjectID).  These structures are used by the Link Tracking Service; the first applies to the new volume (where the target file resides now), and the second applies to the birth volume (where the target file was when the LNK stream was created).  As demonstrated in Harry's paper, this information can be used to determine if a file was moved or copied; however, this analysis is dependent upon the LNK stream being created prior to the action taking place.  The code that I wrote extracts and parses these values into their components, so that checks can be written to automatically determine if the target file was moved or copied.

There's something specific that I wanted to point out here that has to do with LNK and Jump List analysis.  The format specification for the ObjectID found in the TrackerDataBlock is based on UUID version 1, defined in RFC 4122.  Parsing the second half of the "droid" should provide a node identifier in the last 6 bytes.  Most analysts simply seem to think that this is the MAC address (or a MAC address) for the system on which the target file was found.  However, there is nothing that I've found thus far that states emphatically that it MUST be the MAC address; rather, all of the resources I've found indicate that this value can be a MAC address.  Given that a system's MAC address is not stored in the Registry by default, analysis of an acquired image makes this value difficult to verify.  As such, I think that it's very important to point out that while this value can be a MAC address, there is nothing to specifically and emphatically state that it must be a MAC address.
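As an added example (not code from the original post), the following Python parses a TrackerDataBlock out of an LNK stream's ExtraData and splits each ObjectID into the RFC 4122 version 1 fields discussed above, reporting whether the node's multicast bit is set (which sec 4.1.6 reserves for randomly generated nodes) instead of assuming the node is a MAC address. The block bytes, machine name, volume GUIDs and timestamps are constructed sample data.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

TRACKER_SIGNATURE = 0xA0000003                               # MS-SHLLINK sec 2.5.10
UUID_V1_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)  # RFC 4122 sec 4.1.4


def decode_v1_uuid(u):
    """Split a version 1 UUID (an ObjectID) into the fields of RFC 4122 sec 4.1.2."""
    if u.version != 1:
        raise ValueError(f"ObjectID is a version {u.version} UUID, not version 1")
    node = u.bytes[10:]
    return {
        "timestamp": UUID_V1_EPOCH + timedelta(microseconds=u.time // 10),
        "clock_seq": u.clock_seq,
        "node": ":".join(f"{b:02x}" for b in node),
        # RFC 4122 sec 4.1.6: a random node sets the multicast bit; a clear bit is
        # consistent with a MAC address but does not prove one.
        "node_is_multicast": bool(node[0] & 0x01),
    }


def parse_tracker_data_block(block):
    """Parse a TrackerDataBlock: header, MachineID, Droid and DroidBirth."""
    size, sig, length, version = struct.unpack_from("<IIII", block, 0)
    if sig != TRACKER_SIGNATURE or size != 0x60 or length < 0x58 or version != 0:
        raise ValueError("not a well-formed TrackerDataBlock")
    machine_id = block[16:32].split(b"\x00", 1)[0].decode("ascii", "replace")
    # Each Droid is a VolumeID GUID followed by an ObjectID (UUID v1), stored in
    # Windows little-endian GUID field order, hence bytes_le.
    new_vol, new_obj, birth_vol, birth_obj = (
        uuid.UUID(bytes_le=block[o:o + 16]) for o in (32, 48, 64, 80))
    return {
        "machine_id": machine_id,
        "new_object": decode_v1_uuid(new_obj), "birth_object": decode_v1_uuid(birth_obj),
        # A file moved to another volume keeps its birth IDs but gets a new pair
        # there; a copy is "born" where it now sits, so its two pairs match.
        "moved_to_other_volume": (new_vol, new_obj) != (birth_vol, birth_obj),
    }


def make_object_id(when, clock_seq, node):
    """Build a version 1 UUID from its fields; used only to construct sample data."""
    t = ((when - UUID_V1_EPOCH) // timedelta(microseconds=1)) * 10
    return uuid.UUID(fields=(t & 0xFFFFFFFF, (t >> 32) & 0xFFFF, (t >> 48) & 0x0FFF,
                             (clock_seq >> 8) & 0x3F, clock_seq & 0xFF, node), version=1)


def sample_block():
    """Constructed TrackerDataBlock (not real data) for a file moved between volumes."""
    born = make_object_id(datetime(2011, 11, 30, 9, 15, tzinfo=timezone.utc), 0x1A2B, 0x001122334455)
    moved = make_object_id(datetime(2011, 12, 1, 12, 0, tzinfo=timezone.utc), 0x1A2B, 0x0BADBEEFCAFE)
    birth_vol = uuid.UUID("8f7a2c41-6b3e-4d5f-9a1c-2b3d4e5f6a7b")
    new_vol = uuid.UUID("0c1d2e3f-4a5b-4c6d-8e7f-a1b2c3d4e5f6")
    return (struct.pack("<IIII", 0x60, TRACKER_SIGNATURE, 0x58, 0)
            + b"WORKSTN1".ljust(16, b"\x00")
            + new_vol.bytes_le + moved.bytes_le + birth_vol.bytes_le + born.bytes_le)
```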

DestList Stream

The DestList stream is found only in the automatic Jump Lists, and does not follow the MS-SHLLINK binary format (go here to see the publicly documented structure of this stream).  Thanks to testing performed by Jimmy Weg, it appears that not only is the DestList stream a most-recently-used/most-frequently-used (MRU/MFU) list, but some applications (such as Windows Media Player) appear to be moving their MRU lists to Jump Lists, rather than continuing to use the Registry.  As such, the DestList streams can be a very valuable component of timeline analysis.

What this means is that the DestList stream can be parsed to see when a file was most recently accessed.  Unlike Prefetch files, Jump Lists do not appear (at this point) to contain a counter of how many times a particular file (MSWord document, AVI movie file, etc.) was accessed or viewed, but you may be able to determine previous times that a file was accessed by parsing the appropriate Jump List file found in Volume Shadow Copies. 


Summary

Organizations are moving away from Windows XP and performing enterprise-wide rollouts of Windows 7.  More and more, analysts will encounter Windows 7 (and before too long, Windows 8) systems, and need to be aware of the new artifacts available for analysis.  Jump Lists can hold a wealth of information, and understanding these artifacts can provide the analyst with a great deal of clarity and context.

Resources

ForensicsWiki: Jump Lists
Jump List Analysis pt. I, II, III
DestList stream structure documented
Harry Parsonage's The Meaning of LIFE paper - a MUST READ for anyone conducting LNK analysis
RFC 4122 - UUID description; sec 4.1.2 describes the structure format found in Harry's paper; section 4.1.6 describes how the Node field is populated
Perl UUID::Tiny module - Excellent source of information for parsing version 1 UUIDs 

Reposted from http://windowsir.blogspot.com/2011/12/jump-list-analysis.html

Converting between VDI and VMDK/VHD/RAW

Virtual Disk Conversion
VirtualBox uses VDI files for the primary hard-disk image. After you export a VM it will become a VMDK. If you want to convert it back to VDI, or just want to convert between image types, you can do it with the following command:
Syntax:
#VBoxManage.exe internalcommands converthd -srcformat FORMAT1 -dstformat FORMAT2 SRCFILE DSTFILE
Example:
v:\VM\HD>"c:\Program Files\Oracle\VirtualBox\VBoxManage.exe" internalcommands converthd -srcformat VMDK -dstformat VDI V:\VM\HD\W2003_Ent_R2_SP2.vmdk v:\VM\HD\W2003_Ent_R2_SP2_DC.vdi

Reposted from http://www.cnblogs.com/ysun/archive/2011/10/11/2206737.html

Windows 8 Forensic Overview

I finally submitted my term paper for my Forensics class. While there are some things to be said for waiting until the last minute, my problem was that as I delved into the four points I wanted to cover, I found Windows 8 exhibiting some interesting behavior; I also noticed that some of the things I thought would change did not.


I will be making my paper available for download soon, but I need to clean up a few things, and will let you know when you can grab it. Meanwhile, here are a few things that I want to pass on.


When I initially started this paper and took a dive into the Windows Registry, I was at a loss as to what to look for. I posted questions on Twitter and got some guidance on where to look. Eventually I stumbled across the Registry key called TypedURLsTime; while trying to decipher the value contained in the data field, I posted the information I was looking at to Twitter. Harlan Carvey explained that this data is FILETIME data. I came to rely on the experience of Harlan and others as I asked questions, and I am grateful for their experience and willingness to answer my questions and be patient with me. Harlan went as far as sending me a copy of his Windows Registry Forensics book; this is an incredible resource for anyone interested in looking at and understanding the registry.

Building off what I learned from Harlan's book Windows Registry Forensics, I was able to confirm that the primary registry hives (SAM, System, Security, Software, NTUser and UsrClass) were all retained within Windows 8. I returned to the Registry keys for TypedURLs and TypedURLsTime and did some more digging around. Here are the keys below for reference; as you can see, URL10 is in both locations, one showing the location visited and the other the FILETIME at which it was accessed.

Through some more analysis of the registry I came across the following keys, which appear to be related to the Immersive Browser that Microsoft is pushing in Windows 8. I attempted to test the typedurls-immersive-browser key, but this feature was not accessible in this build.

While listening to Wade Wegner's presentation at the 2011 Build conference, Microsoft touted the ability to allow applications and users to save data to the cloud, with the option of using your Windows Live ID as your user name to facilitate this. I decided to look a little more into this, and found the following while digging into the directory structure of a Live user:

C:\Users\USERID\AppData\Local\Microsoft\Windows\Live\Roaming\2d5b1639895c2556\CloudSync


Within this directory there were numerous files with the SDF file type, some of the files are named the same as the immersive browser keys in the previous images. I decided to look further into the registry to see if I could find any reference to the CloudSync option and I came across the following:

It appears that the Immersive Browser and CloudSync Registry keys will need to be analyzed further. I am planning on looking into them more over the next few weeks, and will update the blog with the information.

When I was typing out this blog I was going to delve deeper into Jump Lists, but they appear to be similar to the Windows 7 ones, and I felt that my research could be utilized in a different approach. It does not appear that Metro applications keep a Jump List; instead they keep their information in the respective program folder within AppData. I noticed this behavior while utilizing the PicStream Metro app. Digging into the file path I found the following folder structure:

Within each of those subdirectories there was a regular file and file slack for each image I viewed through the PicStream application. Further research should define the naming convention of the INetCache subdirectories.

Within the Windows 8 operating system, Microsoft has introduced File History backup, which changes the way that backups were previously used. In previous versions of Windows, backups could only be maintained and restored using the default system. Within Windows 8 this solution is more robust and allows backups to be stored both on removable media and on remote network shares. By default this will back up folders such as Music, Documents, Videos, Contacts and Favorites.

There are a few artifacts that are established when File History is turned on; these include the File History folder, a Registry value, and Windows events. The File History folder can be found at C:\Users\USERID\AppData\Local\Microsoft\Windows\FileHistory; within this folder there is a configuration folder and a data folder. The data folder is a temporary staging directory for the files that are to be backed up. The Configuration folder contains at least 2 files: an EDB file named Catalog#.edb and an XML file named Config#. These files are created both locally and on the drive being used as backup. As of this writing I have not been able to explore the EDB file. The Config file on the other hand offers the following information:

If the File History option has been turned on there is also a registry key that is created; this key is only found for users that have turned on this feature. The Registry key can be found at:
HKU\Software\Microsoft\Windows\CurrentVersion\FileHistory 


Within this key there is a value named ProtectedUpToTime that shows the last time this process backed up the files. This value can be deciphered as a 64-bit hex value (big-endian); the DCode application can handle this.
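Both the TypedURLsTime values above and ProtectedUpToTime are Windows FILETIMEs, so one decoder serves both. The following is an added example, not code from the original post: it reads a regedit-style export, pairs each urlN under TypedURLs with its urlN under TypedURLsTime (the URL10 observation above), and decodes the 64-bit value whether it arrives as the little-endian bytes of a REG_BINARY or as the big-endian digits a hex viewer shows; the export text and its timestamps are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME counts 100 ns ticks from here
TYPED_URLS = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs"
TYPED_URLS_TIME = TYPED_URLS + "Time"

# Constructed regedit export (not real data): REG_SZ urlN values under TypedURLs and
# the matching REG_BINARY FILETIMEs under TypedURLsTime, written as regedit does,
# i.e. as little-endian "hex:" byte lists.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs]
"url1"="http://www.example.test/"
"url10"="http://intranet.example.test/reports"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLsTime]
"url1"=hex:00,02,86,b3,09,b0,cc,01
"url10"=hex:00,20,62,c0,20,b0,cc,01
"""


def filetime_to_datetime(value, byteorder="little"):
    """Convert a 64-bit FILETIME to an aware UTC datetime.

    `value` is either the raw 8 bytes of a REG_BINARY (little-endian in the hive
    and in a .reg export) or a hex string copied from a viewer; pass
    byteorder="big" when the viewer shows the most significant byte first."""
    raw = bytes.fromhex(value) if isinstance(value, str) else bytes(value)
    if len(raw) != 8:
        raise ValueError("FILETIME must be exactly 8 bytes")
    ticks = int.from_bytes(raw, byteorder)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_reg_export(text):
    """Minimal parser for the [key] and "name"=value lines of a regedit export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif line.startswith('"') and current is not None:
            name, _, raw = line.partition("=")
            if raw.startswith("hex:"):
                keys[current][name.strip('"')] = bytes(int(h, 16) for h in raw[4:].split(","))
            else:
                keys[current][name.strip('"')] = raw.strip('"')
    return keys


def typed_urls_with_times(keys):
    """Pair each urlN under TypedURLs with the decoded FILETIME of the same urlN."""
    urls, times = keys.get(TYPED_URLS, {}), keys.get(TYPED_URLS_TIME, {})
    return {name: (url, filetime_to_datetime(times[name]))
            for name, url in urls.items() if name in times}
```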

There is also another area in the HKLM registry that may provide more information and keys of importance: FHSVC, which is the File History Service, and can be found here:
HKLM\System\Controlset001\Services\fhsvc. 

Keys in the FHSVC folder

Keys in the Config files

Another area worth looking at in gathering File History information is within the System Events. The following Event Sources provide us with auditing information related to the File History:
  • FileHistory-Catalog
  • FileHistory-ConfigManager
  • FileHistory-Core
  • FileHistory-Engine
  • FileHistory-EventListener
  • FileHistory-Service

The final features of Windows 8 that I am going to cover in this blog are the Refresh and Recovery options. The Recovery feature will bring your Windows to a factory state, similar to re-installing the operating system. The Refresh feature acts like a restore point, but will clean everything needed for the OS to run, leaving individual files and applications from the Microsoft Store untouched while deleting any other 3rd-party application.

When looking at a refreshed image of the Windows operating system within AccessData FTK Imager, there are three items that are quickly noticed: two partitions and an unpartitioned space.

Partition 1 is a 350MB partition that contains the information needed to boot the operating system. There are a few interesting files in this partition that can provide some more clues about what has happened with the operating system and whether the device has been recovered or refreshed. When comparing this partition between machines that have had the refresh/recover option run against them and those that have not, we can see some differences in files.

The screenshot on the left is from a machine that has not been refreshed or restored, while the one on the right has been refreshed. From my analysis of this partition, a recovered machine will have more unallocated space. On all images there is a folder called Recovery in the System32 folder; within this directory there is a file called ReAgent.xml, which is used to recover or refresh.

On a refreshed/recovered machine there is a new folder named Log under the Recovery folder. In that folder is a file called Reload.xml. Reload.xml is an updated ReAgent.xml file; it will also have a different timestamp from ReAgent.xml. This folder and file will give a good idea of whether the machine has been refreshed or restored. Out of the 24 lines in these XML files, the only line that differs is:


                    

For a non-refreshed or non-recovered system the state and status would both be 0.

Partition 2 is the main system partition, mapped to the C: drive. This partition also allows us to know if the machine was refreshed or restored. A restored machine will have a lot of unallocated space of various sizes that can still be data-carved. The directories and files shown on a restored and a non-restored machine will be similar, but on a refreshed machine there will be two new directories that contain data. These folders are $SysReset and Windows.old, as can be seen below.

Within these folders we can still access the previous data that was on the drive; this data remains in its file structure under the Windows.old folder. Within $SysReset there are two directories that contain what appears to be potentially useful information. Within the Logs folder there are three files that will provide some usable data: SystemResetPlatform.log and setupact.log provide details of what was changed, and MigLog.xml will contain the users that were retained and their current mappings. This can be beneficial when a user account is deleted after a reset. There are two files located in Framework/Migration/Preserve that also may provide evidence at a later date; they seem to deal with the Microsoft Store, and since this feature is currently not available I am unable to investigate.


Over the next few months I will research more artifacts that might be left behind in Windows 8, and the behaviors that the new operating system brings with it. As more features are unlocked there is potential for more locations that must be analyzed to find the big picture.


Reposted from http://randomthoughtsofforensics.blogspot.com/2011/12/windows-8-forensic-overview.html